According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL     pointer dereference because it lacks a pointer check     before an ide_cancel_dma_sync call.(CVE-2020-25743)

  - pci_change_irq_level in hw/pci/pci.c in QEMU before     5.1.1 has a NULL pointer dereference because     pci_get_bus() might not return a valid     pointer.(CVE-2020-25742)

  - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows     guest OS users to trigger an assertion failure. A guest     can crash the QEMU process via packet data that lacks a     valid Layer 3 protocol.(CVE-2020-27617)

  - address_space_map in exec.c in QEMU 4.2.0 can trigger a     NULL pointer dereference related to     BounceBuffer.(CVE-2020-13659)

  - A reachable assertion issue was found in the USB EHCI     emulation code of QEMU. It could occur while processing     USB requests due to missing handling of DMA memory map     failure. A malicious privileged user within the guest     may abuse this flaw to send bogus USB requests and     crash the QEMU process on the host, resulting in a     denial of service.(CVE-2020-25723)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop     when a TD list has a loop.(CVE-2020-25625)

  - In QEMU through 5.0.0, an assertion failure can occur     in the network packet processing. This issue affects     the e1000e and vmxnet3 network devices. A malicious     guest user/process could use this flaw to abort the     QEMU process on the host, resulting in a denial of     service condition in net_tx_pkt_add_raw_fragment in     hw/net/net_tx_pkt.c.(CVE-2020-16092)

  - In QEMU 5.0.0 and earlier, megasas_lookup_frame in     hw/scsi/megasas.c has an out-of-bounds read via a     crafted reply_queue_head field from a guest OS     user.(CVE-2020-13362)

  - The (1) v9fs_create and (2) v9fs_lcreate functions in     hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local     guest OS privileged users to cause a denial of service     (file descriptor or memory consumption) via vectors     related to an already in-use fid.(CVE-2017-7377)

  - In QEMU 5.0.0 and earlier, es1370_transfer_audio in     hw/audio/es1370.c does not properly validate the frame     count, which allows guest OS users to trigger an     out-of-bounds access during an es1370_write()     operation.(CVE-2020-13361)

  - hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU     before 07-20-2020 has a buffer overflow. This occurs     during packet transmission and affects the highbank and     midway emulated machines. A guest user or process could     use this flaw to crash the QEMU process on the host,     resulting in a denial of service or potential     privileged code execution. This was fixed in commit     5519724a13664b43e225ca05351c60b4468e4555.(CVE-2020-1586     3)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based     buffer over-read via values obtained from the host     controller driver.(CVE-2020-25624)

  - rom_copy() in hw/core/loader.c in QEMU 4.1.0 does not     validate the relationship between two addresses, which     allows attackers to trigger an invalid memory copy     operation.(CVE-2020-13765)

  - An out-of-bounds read/write access flaw was found in     the USB emulator of the QEMU in versions before 5.2.0.
    This issue occurs while processing USB packets from a     guest when USBDevice 'setup_len' exceeds its     'data_buf[4096]' in the do_token_in, do_token_out     routines. This flaw allows a guest user to crash the     QEMU process, resulting in a denial of service, or the     potential execution of arbitrary code with the     privileges of the QEMU process on the     host.(CVE-2020-14364)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

EulerOS Virtualization 3.0.6.6 : qemu (EulerOS-SA-2021-1455)

medium Nessus Plugin ID 147490

No changelogs found